A computer virus has been defined by Frederick B. Cohen as a program that can infect other programs by modifying them to include a, possibly evolved, version of itself (A Short Course on Computer Viruses, ASP Press, Pittsburg, 1990, page 11).
As employed herein, a computer virus is considered to include an executable assemblage of computer instructions or code that is capable of attaching itself to a computer program. The subsequent execution of the viral code may have detrimental effects upon the operation of the computer that hosts the virus. Some viruses have an ability to modify their constituent code, thereby complicating the task of identifying and removing the virus.
A worm is a program or collection of programs that can cause a possibly evolved version of itself to be executed on the same or possibly on a different computer.
A Trojan Horse is a block of undesired code that is intentionally hidden within a block of desirable code.
Both computer viruses, worms, and Trojan Horses are considered to be members of a class of undesirable software entities, the presence of which within a data processor, or network of data processors, is to be avoided so as to maintain computational integrity.
A widely-used method for the detection of computer viruses is known as a virus scanner. A virus scanner employs short strings of bytes to identify particular viruses in executable files, boot records, or memory. The byte strings (referred to as signatures) for a particular virus must be chosen with care such that they always discover the virus, if it is present, but seldom give a "false alarm", known as a false positive. That is, the signature must be chosen so that the byte string is one that is unlikely to be found in programs that are normally executed on the computer. Typically, a human expert makes this choice by converting the binary machine code of the virus to an assembler version, analyzing the assembler code, selecting sections of code that appear to be unusual or virus-like, and identifying the corresponding bytes in the binary machine code so as to produce the signature. Wildcard bytes can be included within the signature to provide a match with any code byte appearing in a virus.
Currently, a number of commercial computer virus scanners are successful in alerting users to the presence of viruses that are known apriori. However, conventional virus scanners are typically unable to detect the presence of computer viruses which they have not been programmed to detect explicitly. The problem of dealing with new viruses has typically been addressed by distributing updates of scanning programs and/or auxiliary files containing the necessary information for identifying the latest viruses. However, the increasing rate at which new viruses are being written is widening the gap between the number of viruses that exist and the number of viruses that can be detected by an appreciable fraction of computer users. As a result, it is becoming increasingly likely that a new virus will become wide-spread before any remedy is generally available.
At least one mechanism to inform other computers connected to a network of a presence of a viral infection has been previously advanced. For example, a "net hormones" concept has been proposed by David Stodolsky, wherein every computer on a network keeps archives of all potential virus-carrying contacts with every other computer. When a computer finds that it is infected with a virus, it sends a message to every computer that it has ever contacted or been contacted by, which in turn send messages to all of their contactees or contactors, etc. However, it is believed that this approach will result in most or all computers quickly becoming overloaded by infection messages from most of the other computers on the network.
As such, a need has arisen to develop methods for automatically recognizing and eradicating previously unknown or unanalyzed viruses on individual computers and computer networks. An efficient method is also required for informing other computers on the network as to the existence of a computer virus within the network.
It is an object of this invention to provide methods and apparatus to automatically detect and extract a signature from an undesirable software entity, such as a computer virus or worm.
It is further object of this invention to provide methods and apparatus for immunizing a computer system, and also a network of computer systems, against a subsequent infection by a previously unknown and undesirable software entity.